
Broken JSON Web Token in Go Lang

Vulnerable example

Go does not ship a JWT implementation in its standard library, but third-party libraries such as github.com/dgrijalva/jwt-go exist. With that library, a JWT could be generated as follows:

package main

import (
    "fmt"

    jwt "github.com/dgrijalva/jwt-go"
)

// (!!!) Hardcoded, low-entropy HMAC secret: anyone who reads the source
// or guesses the string can sign their own tokens.
var JWTSecret = []byte("supersecret")

func GenerateJWT(username string) string {
    token := jwt.New(jwt.SigningMethodHS256)
    claims := token.Claims.(jwt.MapClaims)
    claims["username"] = username
    t, _ := token.SignedString(JWTSecret) // signing error silently ignored
    return t
}

func main() {
    fmt.Println(GenerateJWT("john.doe"))
}

The string supersecret is far from random and unpredictable; a malicious user who knows the JWTSecret value can forge arbitrary JWTs and ultimately impersonate any user of the web application.

Prevention

The crucial part here is to choose a sufficiently long and random JWTSecret rather than a guessable string, for example one generated as follows:

$ dd status=none if=/dev/urandom bs=1 count=50 | sha512sum
1cdfcf2d5a1b182014eb5ddb49c9c18fd72e29e22dd1eb59af2c7b30fce5b85fb1892b1189d1b37517d83845a6af2564ec16543b8e4071f9426f471c3f3d33cd  -
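The following is an added example, not code from the original page or from the jwt-go project, showing the prevention side end to end with only the Go standard library: the secret is read from an environment variable (the name JWT_SECRET and the 32-byte minimum are assumptions of this example) instead of being hardcoded, the token is signed with HMAC-SHA256, and the verifier accepts only HS256, compares signatures in constant time, and therefore rejects a token forged with the weak supersecret key or one whose header claims another algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Assumed policy for this example: 32 bytes (256 bits) matches HS256's strength.
const minSecretLen = 32

// LoadSecret reads the HMAC key from the environment instead of the source.
// The variable name JWT_SECRET is an assumption of this example.
func LoadSecret() ([]byte, error) {
	s := os.Getenv("JWT_SECRET")
	if len(s) < minSecretLen {
		return nil, fmt.Errorf("JWT_SECRET must be at least %d bytes, got %d", minSecretLen, len(s))
	}
	return []byte(s), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign builds an HS256 JWT (header.payload.signature) over the given claims.
func Sign(claims map[string]interface{}, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// Verify checks the signature and returns the claims. It pins the algorithm
// to HS256, so "alg":"none" or any other substitution is rejected up front.
func Verify(token string, secret []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	// Constant-time comparison: a plain == would leak mismatch position via timing.
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, errors.New("bad payload")
	}
	return claims, nil
}

func main() {
	secret, err := LoadSecret()
	if err != nil {
		fmt.Println("refusing to start:", err) // fail closed on a weak or missing secret
		return
	}
	tok, _ := Sign(map[string]interface{}{"username": "john.doe"}, secret)
	claims, err := Verify(tok, secret)
	fmt.Println(claims, err)
}
```

Run it with JWT_SECRET set to a value produced by the dd/sha512sum command above; with the variable unset or shorter than the minimum, LoadSecret refuses to start the service instead of silently falling back to a default. The signing-method check in Verify is the same idea as passing a key function to a library that inspects token.Method before returning the key: never let the token's own header decide how it is verified.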

References

Auth0 - Critical vulnerabilities in JSON Web Token libraries
Auth0 - JWT Debugger